
MS MSDTC UserAllocate BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to exploit a vulnerability in the MSDTC component.

Additional Information

The Microsoft Distributed Transaction Coordinator (MSDTC) service in Microsoft Windows is prone to a memory corruption vulnerability. The specific issue exists in the MSDTC interface proxy (MSDTCPRX.DLL). The proxy exposes the affected {906B0CE0-C70B-1067-B317-00DD010662DA} v1.0 RPC interface.

This issue could allow for execution of arbitrary code in the context of the service. The vulnerability may be remotely exploitable in some circumstances but will also permit local privilege escalation.

The cause of the issue is that users may influence the amount of memory that is allocated by the vulnerable component. This may be exploited to overwrite memory management control structures. In this manner, the attacker may execute arbitrary code in the context of the MSDTC service. This service is accessible over the network if Network DTC is enabled, and may potentially be exposed through RPC.

This issue is remotely exploitable on Windows 2000 platforms, since the Network DTC is enabled by default on this platform. On Windows XP SP1, this issue may be remotely exploitable if a local user has started the service. The service may be started by any local user unless it has been explicitly disabled. On Windows Server 2003, this vulnerability is limited to local privilege escalation unless Network DTC has been explicitly enabled by an administrator. This issue is not present on Windows XP SP2 and Windows Server 2003 SP1.

A new but similar vulnerability affecting the MSDTC service was recently reported. Although corrected in MS05-051, additional memory added in the allocator for memory accounting was not accounted for. These additional 8 bytes can be overwritten. These issues will kill the process and DoS the service. This signature covers a new issue affecting the MSDTC service (CVE-2006-1184).
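
For monitoring where the RPC interface named above is reachable, the following added example (not Symantec's signature logic, and not code from the original page) parses a DCE/RPC bind or alter_context PDU and reports whether it requests the {906B0CE0-C70B-1067-B317-00DD010662DA} v1.0 interface. It flags binds to the interface, not the overflow itself; the function names and the `build_bind` sample generator are hypothetical, and the PDU is assumed to be an unfragmented connection-oriented (v5) message.

```python
import struct
import uuid

# Interface UUID and version taken from the advisory text.
MSDTC_IF_UUID = uuid.UUID("906B0CE0-C70B-1067-B317-00DD010662DA")
MSDTC_IF_VERSION = (1, 0)
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14


def bind_interfaces(pdu: bytes):
    """Return [(uuid, major, minor)] for each context element of a DCE/RPC
    v5 bind or alter_context PDU; return [] for anything else or malformed."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return []
    little = (pdu[4] >> 4) == 1          # packed_drep: integer byte order
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    if frag_len > len(pdu):
        return []                        # truncated capture or fragment
    n_ctx, off, found = pdu[24], 28, []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            return []                    # context list overruns the fragment
        n_transfer = pdu[off + 2]
        raw = pdu[off + 4:off + 20]
        if_uuid = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        major, minor = struct.unpack_from(end + "HH", pdu, off + 20)
        found.append((if_uuid, major, minor))
        off += 24 + 20 * n_transfer      # skip the transfer syntax entries
    return found


def binds_to_msdtc(pdu: bytes) -> bool:
    """True if any context element requests the MSDTC interface v1.0."""
    return any(u == MSDTC_IF_UUID and (ma, mi) == MSDTC_IF_VERSION
               for u, ma, mi in bind_interfaces(pdu))


def build_bind(if_uuid: uuid.UUID, major: int, minor: int) -> bytes:
    """Constructed sample: a minimal little-endian bind with one context
    element and the NDR transfer syntax. Carries no call data."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
    ctx = struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<HH", major, minor)
    ctx += ndr.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body
```

A hit on a host where Network DTC is not required is a candidate for the workarounds listed under Response.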

Affected

  • Avaya DefinityOne Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya IP600 Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya Unified Communication Center
  • Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Resource Kit
  • Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server Japanese Edition
  • Microsoft Windows 2000 Terminal Services SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Workstation rev.2031, rev.2072, rev.2195, SP1, SP2, SP3
  • Microsoft Windows 95 Build 490.R6, j, SP1, SR2
  • Microsoft Windows 98 a, b, j, SP1
  • Microsoft Windows 98 With Plus! Pack
  • Microsoft Windows 98SE
  • Microsoft Windows CE 2.0, 3.0, 4.2
  • Microsoft Windows ME
  • Microsoft Windows NT 3.5, 3.5.1, 3.5.1 SP1, 3.5.1 SP2, 3.5.1 SP3, 3.5.1 SP4, 3.5.1 SP5, 3.5.1 SP5 alpha, 4.0, 4.0 alpha, 4.0 SP1, 4.0 SP1 alpha, 4.0 SP2, 4.0 SP2 alpha, 4.0 SP3, 4.0 SP3 alpha, 4.0 SP4, 4.0 SP4 alpha, 4.0 SP5, 4.0 SP5 alpha, 4.0 SP6, 4.0 SP6 alpha, 4.0 SP6a, 4.0 SP6a alpha
  • Microsoft Windows NT 4.0 Option Pack
  • Microsoft Windows NT Enterprise Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0, 4.0 alpha, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Workstation 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter Edition Itanium SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter x64 Edition
  • Microsoft Windows Server 2003 Enterprise Edition SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition Itanium SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise x64 Edition
  • Microsoft Windows Server 2003 Standard Edition SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Standard x64 Edition
  • Microsoft Windows Server 2003 Web Edition SP1, SP1 Beta 1
  • Microsoft Windows Vista beta
  • Microsoft Windows XP
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Embedded SP1
  • Microsoft Windows XP Home SP1, SP2
  • Microsoft Windows XP Media Center Edition SP1, SP2
  • Microsoft Windows XP Professional SP1, SP2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows XP Tablet PC Edition SP1, SP2

Response

Workaround:

The MSDTC service may be disabled if it is not explicitly required. It is also possible to disable Network DTC access. See the attached Microsoft Security Bulletin for details on how to apply these workarounds.

Disable COM Internet Services and RPC over HTTP if they are not explicitly required.

Solution:

Microsoft has released a security bulletin to address this issue on supported platforms.

Avaya has released advisory ASA-2005-214 to state which Avaya products are affected by the October 2005 release of Microsoft Windows security updates. See the referenced advisory for further information.

Microsoft Windows 2000 Advanced Server SP4:
Microsoft Patch Security Update for Windows 2000 (KB902400)

Microsoft Windows 2000 Professional SP4:
Microsoft Patch Security Update for Windows 2000 (KB902400)

Microsoft Windows 2000 Server SP4:
Microsoft Patch Security Update for Windows 2000 (KB902400)

Microsoft Windows Server 2003 Enterprise Edition:
Microsoft Patch Security Update for Windows Server 2003 (KB902400)

Microsoft Windows Server 2003 Enterprise Edition 64-bit:
Microsoft Patch Security Update for Windows Server 2003 64-bit Itanium Edition (KB902400)

Microsoft Windows Server 2003 Enterprise x64 Edition:
Microsoft Patch Security Update for Windows Server x64 Edition (KB902400) - English

Microsoft Windows Server 2003 Standard Edition:
Microsoft Patch Security Update for Windows Server 2003 (KB902400)

Microsoft Windows Server 2003 Standard x64 Edition:
Microsoft Patch Security Update for Windows Server x64 Edition (KB902400) - English

Microsoft Windows Server 2003 Web Edition:
Microsoft Patch Security Update for Windows Server 2003 (KB902400)

Microsoft Windows XP Home SP1:
Microsoft Patch Security Update for Windows XP (KB902400)

Microsoft Windows XP Media Center Edition SP1:
Microsoft Patch Security Update for Windows XP (KB902400)

Microsoft Windows XP Professional SP1:
Microsoft Patch Security Update for Windows XP (KB902400)

Microsoft Windows XP Professional x64 Edition:
Microsoft Patch Security Update for Windows XP x64 Edition (KB902400)

Microsoft Windows XP Tablet PC Edition SP1:
Microsoft Patch Security Update for Windows XP (KB902400)

Possible False Positives

There are no known false positives associated with this signature.